cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1100
Views
5
Helpful
28
Replies

Cisco ASA 9.16 Ikev1 site to site -> PFSense

linuxman
Beginner
Beginner

I am trying to setup a L2L IPSec VPN between a Cisco ASA and an PfSense software firewall. The VPN tunnel comes up but the issue is that something in my ASA will not let the local traffic go through the tunnel.

When I ping from the PfSense side, I see the traffic is going through the tunnel and hits the ASA, but the ASA is unable to respond.

This is how I configured my ASA (relevant portions)

 

 

crypto ipsec ikev1 transform-set TFS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set DALLAS esp-aes esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYNMAP 1 set ikev1 transform-set TFS
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
crypto map CMAP 3 match address DALLAS
crypto map CMAP 3 set peer 123.123.123.123
crypto map CMAP 3 set ikev1 transform-set DALLAS
crypto map CMAP interface WAN
crypto ca trustpool policy
crypto ikev1 enable WAN
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime none
crypto ikev1 policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 14
 lifetime none
crypto ikev1 policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime none
---
---
access-list SPLITTUNNEL standard permit 192.168.0.0 255.255.255.0 
access-list DALLAS extended permit ip object LAN object DALLAS_IP 
access-list DALLAS extended permit ip object DALLAS_IP object LAN
---
---
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 ikev1 pre-shared-key *****
---
---
nat (GI5,WAN) source static LAN LAN destination static VPN VPN no-proxy-arp route-lookup
nat (GI4,WAN) source static LAN LAN destination static VPN VPN no-proxy-arp route-lookup
nat (GI6,WAN) source dynamic LAN interface
nat (GI2,WAN) source dynamic LAN interface
nat (GI3,WAN) source dynamic LAN interface
nat (GI4,WAN) source dynamic LAN interface
nat (GI7,WAN) source dynamic LAN interface
nat (GI8,WAN) source dynamic LAN interface
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
!
object network GI5
 nat (GI5,WAN) dynamic interface

 

 

What I have tried

1. Adding static route route WAN 192.168.100.0 255.255.255.0 123.123.123.123

2. Added different NAT rules to nat the LAN to the DALLAS_IP remote subnet.

Now this is what I get when I try running a packet trace.

 

 

ASA(config)# packet-tracer input GI5 icmp 192.168.0.25 1 1 192.168.100.99

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
NAT divert to egress interface WAN
Untranslate 192.168.100.99/0 to 192.168.100.99/0

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
              
Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW 
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: GI5
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000556b4d48c9f5 flow (NA)/NA

 

 

Now with an error like that claiming it is an ACL denying traffic is confusing when the PfSense firewall has the correct ACL's configured as well as the ASA. I'm basically mentally defeated at this point by a black metal box and have no idea what could possibly be the issue... Any ideas?

28 Replies 28

you need to change packet-tracer to be 

packet-tracer input GI5 icmp 192.168.0.25  8  0 192.168.100.99 detial 

 share output here 

This is what I'm getting.

ASA(config)# packet-tracer input GI5 icmp 192.168.0.25 8 0 192.168.10$

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e265f1c60, priority=1, domain=permit, deny=false
	hits=478727, user_data=0x0, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0100.0000.0000
	input_ifc=GI5, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
NAT divert to egress interface WAN
Untranslate 192.168.100.99/0 to 192.168.100.99/0

Phase: 3      
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
 Forward Flow based lookup yields rule:
 in  id=0x7f1e279f2700, priority=6, domain=nat, deny=false
	hits=68, user_data=0x7f1e277a8e90, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
	dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
	hits=131048, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e26604200, priority=0, domain=inspect-ip-options, deny=true
	hits=56457, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=GI5, output_ifc=any

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
 Forward Flow based lookup yields rule:
 in  id=0x7f1e279f2700, priority=6, domain=nat, deny=false
	hits=69, user_data=0x7f1e277a8e90, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
	dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=WAN

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
	hits=131049, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e2682daf0, priority=0, domain=inspect-ip-options, deny=true
	hits=31822, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=LAN, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e27884e20, priority=70, domain=inspect-icmp, deny=false
        hits=198, user_data=0x7f1e27879e70, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=LAN, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e2682d300, priority=66, domain=inspect-icmp-error, deny=false
	hits=218, user_data=0x7f1e2682cb90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=LAN, output_ifc=any

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f1e278beb40, priority=70, domain=encrypt, deny=false
	hits=245, user_data=0x0, cs_id=0x7f1e26857d10, reverse, flags=0x0, protocol=0
	src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
	dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=WAN

Result:
input-interface: GI5
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000556b4d48c9f5 flow (NA)/NA

crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
crypto map CMAP 3 match address DALLAS
crypto map CMAP 3 set peer 123.123.123.123
crypto map CMAP 3 set ikev1 transform-set DALLAS

why there are two CMAP seq  1 & 3 ?

CMAP 1 is for the remote access VPN clients.

Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f1e278beb40, priority=70, domain=encrypt, deny=false
	hits=245, user_data=0x0, cs_id=0x7f1e26857d10, reverse, flags=0x0, protocol=0
	src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
	dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=WAN

user_data=0x0 
this meaning that there is no IPSec SA active 
can you show 
show vpn-sessiondb l2l detail 

Looks like it's active to me.

ASA# show vpn-sessiondb l2l       

Session Type: LAN-to-LAN

Connection   : 123.123.123.123
Index        : 41                     IP Addr      : 123.123.123.123
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 512607
Login Time   : 23:00:37 CST Tue Nov 29 2022
Duration     : 20h:05m:30s

 

 

ASA# show vpn-sessiondb l2l       

Session Type: LAN-to-LAN

Connection   : 123.123.123.123
Index        : 41                     IP Addr      : 123.123.123.123
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 512607
Login Time   : 23:00:37 CST Tue Nov 29 2022
Duration     : 20h:05m:30s

 

 

Bytes Tx :0 <<<-- this what I looking for the tunnel not forward traffic toward the tunnel.

we check the UN-NAT and it work 
other is traffic not hit the ACL of IPsec L2L 
can you show access-list 
check if there is hit or not ?

note:- also double check the route toward remote Peer 

This is what show access-list outputs.

 

ASA(config)# show access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE_IN; 4 elements; name hash: 0xe01d8199
access-list OUTSIDE_IN line 1 extended permit tcp any object FORWARD_HTTP eq www (hitcnt=0) 0xdca8b5be 
  access-list OUTSIDE_IN line 1 extended permit tcp any host 192.168.0.25 eq www (hitcnt=0) 0xdca8b5be 
access-list OUTSIDE_IN line 2 extended permit tcp any object FORWARD_HTTPS eq https (hitcnt=6) 0x358fc38e 
  access-list OUTSIDE_IN line 2 extended permit tcp any host 192.168.0.25 eq https (hitcnt=6) 0x358fc38e 
access-list OUTSIDE_IN line 3 extended permit tcp any object FORWARD_PLEX eq 32400 (hitcnt=0) 0x02dbbe97 
  access-list OUTSIDE_IN line 3 extended permit tcp any host 192.168.0.25 eq 32400 (hitcnt=0) 0x02dbbe97 
access-list OUTSIDE_IN line 4 extended permit tcp object-group ALLOWED_SSH_HOSTS object FORWARD_SSH eq ssh (hitcnt=0) 0x50240153 
  access-list OUTSIDE_IN line 4 extended permit tcp host 111.111.111.111 host 192.168.0.25 eq ssh (hitcnt=0) 0x1a38431d 
access-list SPLITTUNNEL; 1 elements; name hash: 0xbd0c67f8
access-list SPLITTUNNEL line 1 standard permit 192.168.0.0 255.255.255.0 (hitcnt=0) 0x2d433d36 
access-list DALLAS; 2 elements; name hash: 0x676a0fd4
access-list DALLAS line 1 extended permit ip object LAN object DALLAS_IP (hitcnt=11436) 0xbc190b6c 
  access-list DALLAS line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=11436) 0xbc190b6c 
access-list DALLAS line 2 extended permit ip object DALLAS_IP object LAN (hitcnt=0) 0x1c3a78c2 
  access-list DALLAS line 2 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0x1c3a78c2 

 

Currently I do not have a route, it did not work the last time I did it but I can try adding it again. Perhaps I added it the wrong way.

Previously I was adding the route like this: route WAN 192.168.100.0 255.255.255.0 123.123.123.123

 

 

 When I try to add "tunneled" at the end, i get this error "ERROR: tunneled option cannot be specified for non-default routes".

you use

crypto map CMAP 3 match address DALLAS

 

access-list DALLAS line 1 extended permit ip object LAN object DALLAS_IP (hitcnt=11436) 0xbc190b6c 
  access-list DALLAS line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=11436) 0xbc190b6c 
access-list DALLAS line 2 extended permit ip object DALLAS_IP object LAN (hitcnt=0) 0x1c3a78c2 
  access-list DALLAS line 2 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0x1c3a78c2

and I see two line for DALLAS ???
that what make issue here
you need only one line  the ACL is biditional it check the traffic two way so you need only one.
the acl must be 
access-list DALLAS extended permit ip object-group  LOCAL-LAN object-group REMOTE-LAN 

that it no need second line.

for route keep as it was before there is not issue with route there is issue with ACL as I mention below

Alrighty, so I removed the inverse ACL I had previously so the DALLAS ACL looks like this now:

access-list DALLAS extended permit ip object LAN object DALLAS_IP

I re-added the route I mentioned - route WAN 192.168.100.0 255.255.255.0 123.123.123.123

Restarted the tunnel and I still see the same with show vpn-sessiondb l2l.

ASA(config)# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 123.123.123.123
Index        : 109                    IP Addr      : 123.123.123.123
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 22932
Login Time   : 09:14:25 CST Fri Dec 2 2022
Duration     : 0h:04m:39s

I have a ping running on both ends of the tunnel.

Now show access-list only shows one DALLAS.

access-list DALLAS; 1 elements; name hash: 0x676a0fd4
access-list DALLAS line 1 extended permit ip object LAN object DALLAS_IP (hitcnt=17658) 0xbc190b6c 
  access-list DALLAS line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=17658) 0xbc190b6c

And running packet tracer shows this:

ASA(config)# packet-tracer input GI5 icmp 192.168.0.25  8  0 192.168.100.99 detailed

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e265f1c60, priority=1, domain=permit, deny=false
	hits=7168014, user_data=0x0, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0100.0000.0000
	input_ifc=GI5, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
NAT divert to egress interface WAN
Untranslate 192.168.100.99/0 to 192.168.100.99/0

Phase: 3      
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
 Forward Flow based lookup yields rule:
 in  id=0x7f1e26874db0, priority=6, domain=nat, deny=false
	hits=898, user_data=0x7f1e26863260, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
	dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
	hits=1530065, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e26604200, priority=0, domain=inspect-ip-options, deny=true
	hits=593317, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=GI5, output_ifc=any

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP
Additional Information:
Static translate 192.168.0.25/0 to 192.168.0.25/0
 Forward Flow based lookup yields rule:
 in  id=0x7f1e26874db0, priority=6, domain=nat, deny=false
	hits=899, user_data=0x7f1e26863260, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
	dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=WAN

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e25079ad0, priority=0, domain=nat-per-session, deny=true
	hits=1530066, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e2682daf0, priority=0, domain=inspect-ip-options, deny=true
	hits=244400, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=LAN, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e27884e20, priority=70, domain=inspect-icmp, deny=false
        hits=1263, user_data=0x7f1e27879e70, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=LAN, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1e2682d300, priority=66, domain=inspect-icmp-error, deny=false
	hits=1434, user_data=0x7f1e2682cb90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=LAN, output_ifc=any

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f1e278beb40, priority=70, domain=encrypt, deny=false
	hits=1145, user_data=0x0, cs_id=0x7f1e26857d10, reverse, flags=0x0, protocol=0
	src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=any
	dst ip/id=192.168.100.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=WAN

Result:
input-interface: GI5
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000556b4d48c9f5 flow (NA)/NA

Now, one thing is Cisco's documentation for ASA v9.16 does not say to add a no-nat rule like I did, could this also be making things difficult?

NAT rule I'm referring to - nat (any,WAN) source static LAN LAN destination static DALLAS_IP DALLAS_IP

Every think is fine you only need to clear crypto to make both peer exchange the new ACL (proxy)
clear crypto isakmp 
clear crypto ipsec sa 

I re-added the route I mentioned - route WAN 192.168.100.0 255.255.255.0 123.123.123.123 <<-you not need to modify static route 

 

Ok, I cleared it but so far doesn't seem to ping across, still... vpn-sessiondb looks the same.

just try ping now from real device in local LAN.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers